b'    Audit of NARA\xe2\x80\x99s\n   Photocopier Security\n\n\nOIG Audit Report No. 11-07\n\n\n      March 22, 2011\n\x0cTable of Contents\n\n\nExecutive Summary ...................................................................................... 3\n\nBackground ................................................................................................... 5\n\nObjectives, Scope, Methodology .................................................................. 6\n\nAudit Results ................................................................................................. 7\n\nAppendix A \xe2\x80\x93 Photocopiers With Hard Drives........................................ 17\n\nAppendix B - Standard Form 120- Excess Property Report .................. 18\n\nAppendix C - Acronyms and Abbreviations ............................................ 19\n\nAppendix D - Management\xe2\x80\x99s Response to the Report ............................ 20\n\nAppendix E - Report Distribution List ..................................................... 21\n\x0c                                                                          OIG Audit Report No. 11-07\n\n\nExecutive Summary\n\nThe National Archives and Records Administration (NARA) Office of the Inspector\nGeneral (OIG) performed an audit of NARA\xe2\x80\x99s Photocopier Security. The objective of\nthe audit was to determine if appropriate security measures were in place to safeguard\nand prevent inappropriate release of sensitive information and Personally Identifiable\nInformation (PII) residing on NARA photocopiers that contain hard drives. 
Specifically\nour review focused on whether (1) NARA used photocopiers that contained hard drives\ncapable of retaining sensitive information and (2) actions taken by NARA to mitigate\nrisks posed by the potential exposure of this sensitive information were adequate.\n\nAn April 2010, CBS investigative news report exposed the potential privacy risks arising\nfrom sensitive and PII information left on the hard drives of excessed photocopiers that\nwere not sanitized prior to disposal. When multiple copies of a document are made,\nusing a photocopier that has a hard drive, the document is scanned once and copies are\nmade from the file that has been saved on the hard drive. The residual data on the hard\ndrive can be accessed, potentially exposing sensitive or PII which could lead to identity\ntheft or fraudulent use of the information. The CBS news investigation found that hard\ndrives of disposed photocopiers contained a plethora of sensitive, confidential, and PII\ndata that was easily retrievable from the photocopier\'s hard drives.\n\nOur audit found that opportunities exist to strengthen controls to ensure photocopier hard\ndrives are protected from potential exposure. 
Specifically, we found the following\nweaknesses.\n\n    \xe2\x80\xa2    NARA lacks appropriate controls to ensure all photocopiers across the agency are\n         accounted for and that any hard drives residing on these machines are tracked and\n         properly sanitized or destroyed prior to disposal.\n\n    \xe2\x80\xa2    There are no policies documenting security measures to be taken for photocopiers\n         utilized for general use nor are there procedures to ensure photocopier hard drives\n         are sanitized or destroyed prior to disposal or at the end of the lease term.\n\n    \xe2\x80\xa2    Photocopier lease agreements and contracts do not include a \xe2\x80\x9ckeep disk\xe2\x80\x9d 1 or\n         similar clause as required by NARA\xe2\x80\x99s IT Security Methodology for Media\n         Protection Policy version 5.1.\n\nDuring the entrance conference for this review, management informed the OIG that they\nwere aware of the potential risks posed by not properly sanitizing photocopier hard drives\nprior to disposal and had initiated action to address the risks. Specifically, in May 2010,\nNARA\xe2\x80\x99s Office of General Council (NGC) began efforts to identify photocopier\n\n1\n \xe2\x80\x9cKeep Disk\xe2\x80\x9d clause is language within a contract that allows retention of a hard drive should it fail and\nneed to be replaced.\n                                             Page 3\n                          National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 11-07\n\n\ncontracts and agreements across the agency in order to update them to include\nappropriate security language. 
Photocopier contracts (whether they have a hard drive or\nnot) are being modified to contain a "keep your hard drive" clause in accordance with\nsection 6 of NARA\'s IT Security Methodology for Media Protection Policy version 5.1.\nHowever, at the end of our fieldwork, NGC reported only 15 of the 79 agreements\nidentified by management have been modified.\n\nThis report contains seven recommendations for addressing our findings. The\nrecommendations in this report, upon adoption, will assist NARA in providing\nappropriate administrative, technical, and physical safeguards over sensitive information\nand PII as required by the Privacy Act.\n\n\n\n\n                                        Page 4\n                     National Archives and Records Administration\n\x0c                                                               OIG Audit Report No. 11-07\n\n\nBackground\n\nAn April 2010, CBS investigative news report brought attention to the potential privacy\nrisks arising from the fact that photocopiers can store digital images of items copied on\ninternal hard drives. The investigation found disposed photocopiers contained a plethora\nof sensitive, confidential, and PII data that was able to be retrieved from photocopier\'s\nhard drives.\nSince 2002, many photocopiers have been manufactured to contain a hard drive with the\ncapability of electronically storing images of documents copied, scanned, or emailed.\nUsually when several copies of a document are made, the document is scanned just once\nand the copies are made from the file that has been saved on the hard drive. The residual\ndata can be accessed by removing the hard drive from the photocopier and connecting it\nto a PC. The hard drive requires special sanitization in order to mitigate the risk of\nunauthorized disclosure of information and to ensure its confidentiality. 
NARA\xe2\x80\x99s IT\nSecurity Methodology for Media Protection Policy version 5.1 states that information\nsystem media, which includes hard drives, must be sanitized prior to disposal or release.\nSanitization techniques including clearing, purging, and destroying media information\nwould prevent the disclosure of NARA sensitive information when the hard drive is\nreused or disposed.\n\nSafeguarding PII is important to protect individuals, maintain public trust and confidence\nin an organization, and protect the reputation and any legal liability of an organization.\nFor Federal government agencies the Privacy Act of 1974 requires them to establish\nappropriate administrative, technical and physical safeguards to ensure the security and\nconfidentiality of records and to protect against any anticipated threats or hazards to their\nsecurity or integrity which could result in substantial harm, embarrassment,\ninconvenience, or unfairness to any individual on whom information is maintained.\nNARA has responsibility to appropriately safeguard sensitive data and PII, including PII\non hard drives of photocopiers. PII retained on unprotected hard drives could potentially\nbe exposed and lead to identity theft or fraudulent use of the information. In May 2010,\nNARA\xe2\x80\x99s Office of General Council (NGC) began efforts to identify photocopier\ncontracts and agreements across the agency in order to update them to include\nappropriate security language. Photocopier contracts (whether they have a hard drive or\nnot) are being modified to contain a "keep your hard drive" clause in accordance with\nsection 6 of NARA\'s IT Security Methodology for Media Protection Policy version 5.1.\n\nThe Acquisitions Services Division (NAA) within the Office of Administration (NA)\nmaintains responsibility for procuring and managing of general photocopiers across\nNARA. 
According the Director of NAA, the Office of Presidential Libraries (NL) and\nthe Office of Regional Records Services (NR) have the authority to procure and manage\ntheir own photocopiers.\n\n\n\n                                         Page 5\n                      National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 11-07\n\n\nObjectives, Scope, Methodology\n\nThe objective of this audit was to determine whether the appropriate security measures\nwere in place to safeguard sensitive information and PII residing on photocopier hard\ndrives upon disposal or while in possession of an outside vendor. Specifically our\nreview focused on whether (1) NARA used photocopiers that contain hard drives capable\nof retaining sensitive information and (2) that actions taken by NARA to mitigate risks\nposed by the potential exposure of this sensitive information were adequate. The audit\nincluded photocopiers across all NARA offices. 
However, all audit work was performed\nat Archives II in College Park, MD.\n\nWe examined applicable laws, regulations, and NARA guidance including (a) The\nPrivacy Act of 1974; (b) The Federal Information Security Management Act (FISMA) of\n2002; (c) National Institute of Standards and Technology (NIST) Special Publication\n800-88, Guidelines for Media Sanitization; (d) NARA Directive 1608 Protection of\nPersonally Identifiable Information (PII); (e) NARA\xe2\x80\x99s IT Security Methodology for\nMedia Protection; (f) Supplement to NARA 202, Classified Information Security\nProgram Handbook; (g) Transmission of Electronic Media to NARA sites; (h) Asset\nManagement Team Media Tracking and Disposal Plan; (i) Supplement to NARA 241,\nNARA Personal Property Operating Guide; and (j) NARA 236-1, Inventory of\nGovernment Accountable and Sensitive Property.\n\nTo accomplish our objectives we did the following:\n\n   \xe2\x80\xa2   Judgmentally selected a sample of NARA owned photocopiers and performed\n       research to determine if a hard drive was installed;\n   \xe2\x80\xa2   Reviewed disposal and excess property documents from 2005 through 2010 and\n       made inquiries with vendors to determine if the model had the capability of\n       having a hard drive;\n   \xe2\x80\xa2   Reviewed controls over classified photocopiers;\n   \xe2\x80\xa2   Reviewed photocopier contracts;\n   \xe2\x80\xa2   Held discussions with NARA employees and officials within the Office of\n       General Council (NGC), Office of Administration (NA), Office of Acquisition\n       Services (NAA), Facilities and Personal Property Management Division (NAF),\n       Office of Information Services (NH), and the Office of Regional Records Services\n       (NR);\n   \xe2\x80\xa2   Reviewed all network printers to identify those with hard drives.\n\nOur audit work was performed between July 2010 and October 2010. 
We conducted this\nperformance audit in accordance with generally accepted government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based\non our audit objectives. We believe that the evidence obtained provides a reasonable\nbasis for our findings and conclusions based on our audit objectives.\n                                        Page 6\n                     National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 11-07\n\n\nAudit Results\n\n1. Accountability and controls over photocopier inventory and\n   disposals require improvement\nNARA lacks appropriate accountability and adequate management controls to ensure all\nphotocopiers across the agency are accounted for and that any hard drives residing on\nthese machines are tracked and properly sanitized or destroyed prior to disposal.\nSpecifically our audit disclosed: (1) no complete agency-wide inventory of copiers exist,\n(2) copiers containing hard drives have not been identified, (3) copier purpose and use\nhave not been identified, and (4) disposal protocols were not adequate. These conditions\nexist because no group has been assigned responsibility for tracking all photocopiers\nacross the agency and ensuring that any photocopiers containing hard drives are properly\nsanitized prior to disposal. According to NARA\xe2\x80\x99s IT Security Methodology for Media\nProtection Policy version 5.1, NARA must sanitize or destroy information system media\nbefore disposal or release for reuse. In addition, NARA Directive 1608 Protection of\nPersonally Identifiable Information (PII) defines the rules to protect PII from\nunauthorized disclosure and emphasizes the role of NARA users in ensuring appropriate\nsafeguards are in place to protect all NARA systems containing PII. 
Furthermore,\naccording to NARA 236-1 Inventory of Government Accountable and Sensitive Property\nand NARA 241 NARA Personal Property Operating Guide, accountable property\nincludes borrowed or leased property as well as property having a unit cost of $3,000 or\nmore. Accountable property must be tracked and accounted for in the NARA Personal\nProperty Management System. As a result of the lack of accountability and controls,\nNARA is at risk of inappropriate release of sensitive information and PII data.\n\nDuring the course of our review, we interviewed management to determine who was\nresponsible for accounting for, tracking, and disposing of all photocopiers across the\nagency. No one office claimed responsibility. The Acting Assistant Archivist of NA\nstated that a complete listing of all photocopiers and related hard drives is just not\nmaintained. A property management officer within NAF stated that leased photocopiers\nare not considered accountable property and therefore they are not tracked and that hard\ndrive information was also not tracked by NAF. The Director of NAA indicated that\nNAA did not have a complete listing of all photocopiers across the agency because some\noffices procure photocopiers without going through NAA. He also stated that NAA\nwould not be responsible for maintaining such a list. The Acting Chief Information\nOfficer stated that since photocopiers are not considered computer equipment, they were\nnot responsible for the disposition of them. However, he stated that NH\xe2\x80\x99s disposition\npolicies for hard drives may apply. NGC also stated that they are not responsible for\ntracking this information. 
Although, NGC has recently taken on efforts to ensure\nphotocopier contracts include the appropriate security language, they have not attempted\nto identify individual photocopiers with hard drives to ensure the correct procedures are\nfollowed when disposing of them.\n\n                                        Page 7\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 11-07\n\n\nAdditionally, we also discussed the condition noted above with General Counsel and the\nActing Assistant Archivist for NA. Both agreed that the weaknesses cited represent\nsecurity vulnerabilities that needed management\xe2\x80\x99s attention to ensure appropriate controls\nare identified and put in place to mitigate the risk of potential exposure.\n\nWithout adequate accountability and controls, there is an increased risk of exposure of\nPII or sensitive information that could leave NARA vulnerable.\n\nNo complete agency-wide inventory of photocopiers exist\n\nThere is no complete accurate inventory of photocopiers across the agency and no one\noffice is assigned responsibility to maintain and track such an inventory. The OIG\nattempted to get a complete photocopier listing containing all photocopiers across the\nagency (owned and leased) from NAF and NAA and was not able to obtain a complete\naccurate list. NAF maintains a list of 144 leased photocopiers located within the\nArchives I, Archives II, St Louis, and Suitland offices and a list of 119 owned\nphotocopiers across the agency. However, these lists do not represent a complete\ninventory of all photocopiers (leased and owned) across the agency.\n\nWhen we asked whether a list of leased photocopiers in all offices existed, we were told\nthat leased copiers are not accountable property and therefore not inventoried or in the\nproperty management system. 
However, according to NARA 236-1 Inventory of\nGovernment Accountable and Sensitive Property and NARA 241 Personal Property\nOperating Guide, accountable property includes borrowed or leased property as well as\nproperty having a unit cost of $3,000 or more. Accountable property must be tracked and\naccounted for in the NARA Personal Property Management System. We discussed this\nwith the property management officer within NAF who agreed that leased photocopiers\nshould be tracked.\n\nNAF management maintains a list of 119 owned photocopiers across the agency in the\nPPMS system. However, through discussions and contact with various NARA personnel\nand offices we identified at least six additional NARA owned photocopiers that were not\non the NAF list (see below). All six machines had an acquisition cost of $3,000 or more\nand according to NARA 236-1 and 241 they should have been tracked and accounted for\nin the NARA Personal Property Management System.\n\n\n                                                                                 Acquisition\nCopier Make              Serial Number                 Location                  Cost\nCannon IR5000            MPL62529                      Morrow                    $3,286.56\nCannon IR5000            MPL09414                      Morrow                    $3,000.00\n                                                       Atlanta Federal\nCannon IR3300            MRJ03267                      Records Center             $3,166.68\n                                                       Atlanta Federal\nCannon IR4570            SKU1895                       Records Center             $3,868.32\n                                        Page 8\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 
11-07\n\n\nCanon IR 3300G            MRJ02983                      Carter Library             $6,709.43\nKonica/Minolta\nbizhub C550               A00J011000421                 Bush Library               $11,364.30\n\n\nPhotocopiers containing hard drives have not been identified\n\nNeither the list of owned photocopiers nor the list of leased photocopiers obtained from\nNAF identified photocopiers with hard drives. We requested this information from NAF\nand were told this information was not known because no one was keeping track of it. To\nidentify whether any of the photocopiers had a hard drive installed, we took a sample of\n69 photocopiers from the list of 119 owned photocopiers acquired since 2005. We made\ninquiries with the photocopier manufacturers to determine if the photocopiers had hard\ndrives. We gave the manufacturers the make, model, and serial number to identify if the\nspecific model had a hard drive installed on it. In addition, we obtained information from\nthe NARA regional and library offices on leased or owned photocopiers with hard drives.\nOur analysis revealed a total of 34 photocopiers currently at NARA (both leased and\nowned) that have a hard drive installed on them. One of the 34 photocopiers identified as\nhaving a hard drive is used for classified reproduction (See appendix A). We could not be\nreasonably sure that this is a complete listing of all photocopiers across the agency that\ncontains hard drives since there is no tracking of all photocopiers across the agency.\n\nWithout having a complete list of all photocopiers across the agency and whether they\ncontain a hard drive, NARA is lacking the administrative safeguards to protect PII that\nmay reside on photocopiers hard drives.\n\nPhotocopier purpose and use have not been identified\n\nThe lists of owned and leased photocopiers we obtained from NAF did not indicate\nwhether the photocopiers were used for classified or general copying. 
This would be of\nimportance to NAS since they are responsible for tracking classified information. The\nlists did not document where classified photocopiers were located and who was\nresponsible for them. There are additional controls and security measures that are to be in\nplace for classified photocopiers. Specifically the following additional controls and\nsecurity measures are required.\n\n   \xe2\x80\xa2   Classified reproduction equipment must be located in a secure area or, access\n       must be restricted while copying is in progress.\n   \xe2\x80\xa2   All machines used for classified reproduction should incorporate as many security\n       design features as possible (e.g., lock, copy counter, removable hard drives,\n       encryption of data prior to being stored in memory and on hard drive, all memory\n       automatically cleared after copy).\n   \xe2\x80\xa2   Photocopiers located outside of secure areas that are authorized for classified\n       reproduction must not have hard drives or the capacity to retain memory or\n       images.\n\n                                        Page 9\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 11-07\n\n\n   \xe2\x80\xa2   Classified photocopiers must be sanitized before allowing maintenance personnel\n       access to the machine. 
Copier maintenance personnel must be escorted and\n       closely monitored by appropriately cleared NARA staff whenever they service\n       equipment authorized for classified reproduction.\n\nWithout this information, management cannot perform appropriate oversight to properly\ntrack photocopiers and ensure that appropriate controls are being implemented over them.\n\nDisposal protocols for photocopiers were not adequate\nPhotocopier disposals are not adequately tracked and documented and NARA did not\nensure that hard drives on excessed photocopiers were sanitized prior to disposal. Based\non our audit work, we identified that photocopiers have been disposed of in the last five\nyears which had the potential of having a hard drive installed on them.\n\nThe OIG obtained 17 excess property and destruction reports from the requested period\nof 2005 through 2010 to determine if any photocopiers disposed contained a hard drive.\nExcess property and destruction reports were not filed in one central location or\nsequentially. Some were filed in boxes and some online using the Standard Form 120.\nAdditionally these forms in some cases were either filled out inaccurately or were\nincomplete. None of the forms indicated whether the photocopier being excessed\ncontained a hard drive and whether the hard drive was sanitized. Therefore, we\nconcluded that photocopier disposals are not adequately tracked and we could not be\nreasonably certain that we obtained a complete listing of all photocopier disposals within\nthe last five years.\n\nWe made inquiries with the photocopier manufacturers to determine if any of the\nphotocopiers listed on those excess reports had a hard drive. We gave them the make and\nmodel to identify if the specific model had the capability of having a hard drive installed\non it. 
Of the 39 photocopiers that were disposed of during this time frame by the agency,\nthere were 19 photocopiers with the potential of having a hard drive installed on them\n(see below). There was no documentation available to ascertain whether hard drives were\nin fact installed on these machines or that hard drives were removed and sanitized or\ndestroyed prior to disposal.\n\n   SF 120 Report             Disposition\n      Number                    date                    Make/Model                     Quantity\n473067-5119                5/3/2005          Cannon 1150                               1\n473067-6047-0001           2/16/2006         Xerox 230DC                               14\n473067-6047-0001           2/16/2006         Xerox 220DC                               1\n473067-6348                12/15/2006        Xerox 220DC                               1\n473067-6356                1/8/2007          Xerox 220DC                               1\n883101-8212-0080           7/25/2008         Cannon IR400S                             1\n                                             Total                                     19\n\n\n                                        Page 10\n                     National Archives and Records Administration\n\x0c                                                               OIG Audit Report No. 11-07\n\n\nAdditionally, excess property reports were not always filled out properly. 
In seven\ninstances the photocopier make and/or model information was not documented on the\nform, in two instances the model identified was not a photocopier, and in two instances\nthe make and model were recorded incorrectly and the vendor was not able to locate the\ninformation needed to perform the audit test.\n\nAccording to NARA\xe2\x80\x99s IT Security Methodology for Media Protection Policy version 5.1,\nNARA must sanitize or destroy information system media before disposal or release for\nreuse.\n\nNARA Directive 1608 Protection of Personally Identifiable Information (PII) defines the\nrules to protect PII from unauthorized disclosure and emphasizes the role of NARA users\nin ensuring that the appropriate safeguards are in place to protect all NARA systems\ncontaining PII. This directive applies to PII in any form or format which would cover PII\nresiding on a hard drive or memory of a photocopier. Physical and technical safeguards\nthat must be in place according to this directive include the following listed below.\n\n - Encryption of data on external hard drives and properly protected when being\ntransmitted outside the agency.\n\n- Destruction of materials containing PII by shredding, burning, deleting, or other\nauthorized destruction method that ensures the data or record is unreadable or\nunrecoverable.\n\nWithout proper protocols to identify photocopiers with hard drives and ensuring that\nthose hard drives are properly sanitized prior to disposal, there is the risk that hard drives\ncontaining PII or classified information could have been exposed leaving NARA\nvulnerable.\n\nRecommendation 1\n\nThe Assistant Archivist for Administration should improve the inventory over\nphotocopiers to:\n   a) Include all photocopiers across the agency (owned and leased); and\n   b) Identify those photocopiers with hard drives, whether they are used for general or\n       classified copying, and when they are disposed.\n\nRecommendation 2\n\nThe Assistant 
Archivist for Administration should assign responsibility to one group to\noversee management, tracking, and disposal of photocopiers.\n\nIn addition, Assistant Archivist for Administration should assign NAA to consolidate the\nacquisition of photocopiers into one or few contracts to ensure better management of\nthem and to potentially reduce costs,\n\n\n                                         Page 11\n                      National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 11-07\n\n\nRecommendation 3\n\nThe Assistant Archivist for Administration should ensure that documentation of\nphotocopier disposals include accurate information on the make and model and also\nidentify whether the unit had a hard drive. If a hard drive is present, documentation\nshould include the method of sanitization. In addition, this information should be kept in\na central location.\n\nRecommendation 4\n\nThe Assistant Archivist for Administration should implement a policy that photocopier\nacquisitions do not include hard drives unless a valid business case is presented\nspecifying the need to have one.\n\nManagement Response\n\nManagement concurred with the recommendations.\n\n\n\n\n                                        Page 12\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 11-07\n\n\n2. 
There are no policies and procedures describing security measures to be taken for
general use photocopiers and disposal of photocopiers containing a hard drive

There are no documented policies describing security measures to be taken for
photocopiers utilized for general use, nor are there procedures to ensure that photocopier
hard drives are sanitized or destroyed prior to disposal or at the end of the lease term.
Management has not developed policies and procedures in these areas because
accountability for this area has not been assigned to any office. In addition, security
concerns over photocopier hard drives have recently emerged and management had not
made this a priority. Furthermore, NARA has focused on ensuring photocopier contract
language is updated rather than ensuring day-to-day procedures for photocopier use are
created and implemented. The Government Accountability Office (GAO) requires
managers to develop detailed policies and procedures, and to ensure the policies and
procedures are an integral part of agency operations. In addition, the Privacy Act
requires each agency to establish administrative and technical safeguards to insure the
security and confidentiality of records and to protect against any anticipated threats.
The lack of effective policies and procedures increases the risk that photocopier hard
drives are not adequately secured and safeguarded and increases the risk of exposure of
PII or classified information.

There are no documented procedures or policies in place for photocopiers for general use.
NARA does have a policy containing guidelines for copying classified information, which
provides guidance, including security measures, for photocopiers used for the reproduction
of classified material. However, no guidance has been developed for photocopiers used
for general use. Thus, there is no restriction on copying items containing sensitive
information such as PII on these photocopiers. Most Human Resources forms, initial
travel forms, and background investigation forms contain a social security number and
other PII. Many times these forms are photocopied on a general use photocopier prior to
submission to the appropriate department. Additionally, the receiving departments also
make copies of these documents using a general use photocopier.

NARA also has guidance addressing the disposal of personal property and the disposal
of hard drives regardless of the source. However, there are no procedures specifically
addressing how to (1) dispose of photocopiers, (2) remove the hard drives, or (3)
ensure that photocopier hard drives are sanitized or destroyed prior to disposal or at the
end of the lease term. As a result, confusion exists regarding what to do when a
photocopier is ready for disposal. We interviewed several employees who stated that they
were unsure of what to do with photocopiers at the end of their useful life. For example,
one employee in NAF stated that there were 2 copiers in the warehouse "cage" ready to
be excessed and he was not sure if there were hard drives in them. In addition, he was not
sure how to retrieve the hard drive, what to do with it if there was one, and who was
responsible for destroying the hard drive. In another example, an employee in the Center
for Legislative Archives (NWL) was not sure how to dispose of an old classified
photocopier properly. There is no guidance to direct NARA employees on how to
properly dispose of these items. These examples further validate the need for procedures
to be documented and communicated to all NARA employees.

                                        Page 13
                     National Archives and Records Administration

We interviewed the Acting Assistant Archivist of NA and the General Counsel in NGC,
and both agreed that procedures need to be developed in these areas to ensure that the
proper steps are taken to protect PII, classified, or other sensitive information residing on
photocopier hard drives.

GAO’s Standards for Internal Control in the Federal Government states that management
is responsible for developing the detailed policies, procedures, and practices to fit their
agency’s operations and to ensure that they are built into and an integral part of
operations. Information should be recorded and communicated to management and others
within the entity who need it, in a form and within a time frame that enables them to
carry out their internal control and other responsibilities.

The lack of policies and procedures increases the risk that vulnerable assets are not
adequately secured and safeguarded and increases the risk of exposure of PII or classified
information.

Recommendation 5

The Assistant Archivist of Administration should create a policy for security measures to
be taken for all photocopiers across the agency, similar to the policy used for classified
photocopiers.

Recommendation 6

The Assistant Archivist of Administration should create a procedure for the disposal of
photocopiers that will dovetail into NH’s Asset Management Team Media Tracking and
Disposal Plan.
The following items should be included in the procedures:

   •   How the photocopier hard drive should be removed, or who to contact to get it
       removed;
   •   Where and how to send the hard drive;
   •   Evidence that should be kept to document when it was removed, where it was sent,
       who received it, when it was destroyed, and the method of destruction;
   •   Who maintains responsibility for ensuring this procedure is implemented.

This procedure should be reviewed by NA program offices as well as NH. Finally,
updated procedures should be posted on-line for easy reference by NARA staff.

Management Response

Management concurred with the recommendations.

3. Security language missing from photocopier contracts

Photocopier lease agreements and contracts do not include a “keep disk” or similar clause
as required by NARA’s IT Security Methodology for Media Protection Policy version
5.1. NARA did not comply with its own policy to mitigate the risks posed by potential
exposure of sensitive information in the event a photocopier is in the possession of a
vendor or is being replaced, disposed of, or turned in after the expiration of the lease
term. NARA’s IT Security Methodology for Media Protection Policy version 5.1 "Media
Sanitization" states that contracts are required to include a "keep disk" clause or similar
option in order to protect NARA from the risk of PII contained on hard drives being
exposed. While there have been no known security breaches, there is the risk of exposing
sensitive information to unauthorized individuals.

In May 2010, NGC began efforts to identify photocopier contracts and agreements across
the agency in order to update them to include appropriate security language. According
to NGC, photocopier contracts (whether they have a hard drive or not) are being modified
to contain a "keep disk" clause in accordance with section 6 of NARA's IT Security
Methodology for Media Protection Policy version 5.1. NGC developed language for a
“keep disk” clause to be included in these agreements and contracts. The clause states:

        “In accordance with NARA policy, NARA will take title to all electronic storage
        devices, including but not limited to hard drives that may contain Personally
        Identifiable Information (PII). NARA will not allow the removal of any electronic
        storage device that may contain PII data from its facilities by a contractor,
        including individuals performing maintenance on equipment, devices or systems.
        This provision applies even in the event the equipment is leased. NARA will
        handle the destruction of this hardware internally. This provision must flow down
        to all subcontracts, including those for maintenance.

        If the Vendor comes into possession of an electronic storage device that may
        contain PII, the Vendor will immediately notify the Contracting Officer and return
        the electronic storage device to NARA. Vendor will protect the confidentiality of
        the electronic storage device and will not access, disclose, release, disseminate,
        or publish any of the information on the electronic storage device.”

NGC identified and is maintaining a list of 79 lease agreements and purchase documents
obtained from a PRISM² search as well as by contacting regional and library offices. As
of the end of our fieldwork, only 15 of the 79 lease agreements and purchase documents
have been modified. This is because management is waiting on vendors to respond to the
request to update the contracts and does not have all the pertinent information needed to
get the contracts updated. Of the 79 lease agreements and purchase documents, 15 are for
photocopiers that do not have hard drives. This leaves 49 contracts that have yet to be
modified, which leaves the agency at risk for exposure of PII or classified information if
hard drives remain the property of the vendor. Furthermore, no action has been initiated
on 26 of the 79 agreements because NGC is not aware of who the contract officer is for
most of these agreements. According to NGC, these contracts may not be active, and NGC
would need the assistance of NAA in order to determine the status and who would be
responsible for updating the contract. Since there is no tracking of all photocopiers in a
central location, management cannot be reasonably certain that they have a complete
listing of all photocopier leases and contracts, and therefore cannot be sure all
photocopier contracts and lease agreements will be updated.

² PRISM is the automated procurement system. NAA uses this application to administer
contract awards and maintain purchase information. The application is accessed via the
NARANET network.

Recommendation 7

The Assistant Archivist of NA, with assistance from the General Counsel, should:

   a) Work with NAA and NAF to get a complete list of all photocopier contracts and
      agreements to ensure all get updated to include the appropriate security language;
   b) Continue to review and update all photocopier agreements and contracts to
      include the proper security clause; and
   c) Work with NAA to determine the status of the 26 agreements and initiate action
      to get them modified if necessary.

Management Response

Management concurred with the recommendation.
Appendix A – Photocopiers With Hard Drives

 #    Copier Make                             Serial Number    Location                         Own or Lease   Notes
 1    Xerox WCP35                             MYP-002285       Clinton Library                  Own
 2    Xerox WCP32/40                          KMM-002591       Clinton Library                  Own
 3    Xerox CC/WCP35                          MYP-002649       Clinton Library                  Own
 4    Xerox Bookmark 40                       LBD001186N       Kennedy Library                  Own
 5    KYOCERA KM3060                          UYE8600040       Military Record Center           Own
 6    KYOCERA KM3060                          UYE8600038       St. Louis                        Own
 7    Ricoh Aficio 1035G                      H7720401218      Morrow                           Own
 8    KYOCERA KM3050                          UPV7300055       Military Record Center           Own
 9    KYOCERA KM3050                          UPV7300062       Military Record Center           Own
 10   KYOCERA KM3050                          UPV7200034       Military Record Center           Own
 11   KYOCERA KM3050                          UPV7300076       Military Record Center           Own
 12   KYOCERA KM3050                          UPV7300054       Military Record Center           Own
 13   Panasonic DPC262                        DEG44H00028      Eisenhower Library               Own
 14   KYOCERA KM3035                          AJK3016350       Military Record Center           Own
 15   KYOCERA KM4035                          AJL3016677       Military Record Center           Own
 16   Canon IR5000                            MPL62529         Morrow                           Lease
 17   Canon IR5000                            MPL09414         Morrow                           Lease
 18   Canon IR5020                            JCT18197         Atlanta Federal Records Center   Own
 19   Canon IR5020                            JCT18112         Atlanta Federal Records Center   Own
 20   Canon IR3300                            MRJ02070         Atlanta Federal Records Center   Own
 21   Canon IR3300                            MRJ03267         Atlanta Federal Records Center   Own
 22   Canon IR4570                            SKU1895          Atlanta Federal Records Center   Own
 23   Ricoh Aficio 1035G                      H7011200327      Morrow                           Own
 24   OCE digital Copier 3165                 166061658        Atlanta Federal Records Center   Own
 25   Konica Minolta 500/501, machine 13468   A0R5011004757    Philadelphia                     Lease
 26   Konica Minolta 200/350, machine 13469   ( 31139718       Philadelphia                     Lease
 27   Konica Minolta 200/350, machine 13467   (131139684       Philadelphia                     Lease
 28   Canon Image Runner 3300G                MRJ02983         Carter Library                   Own
 29   Canon Image Runner 3300G                MPH66494         Carter Library                   Own
 30   Xerox CC232HG                           URT158166        Carter Library                   Lease          Classified
 31   Sharp MX-2700N                          90000472         Carter Library                   Lease
 32   Sharp AR-M620N                          4AB00381         Reagan Library                   Lease
 33   Konica Minolta CF3102                   3129216          Philadelphia                     Own
 34   OCE 3165                                1660603319       Philadelphia                     Own

Appendix B - Standard Form 120 - Excess Property Report

Appendix C - Acronyms and Abbreviations

GAO     Government Accountability Office
NARA    National Archives and Records Administration
OIG     Office of Inspector General
PII     Personally Identifiable Information
NGC     Office of General Counsel
NA      Office of Administration
NAA     Acquisition Services Division
NL      Office of Presidential Libraries
NR      Office of Regional Records Services
NH      Office of Information Services
NHT     Information Technology Services Division
NAF     Facilities and Personal Property Management Division
NWL     Center for Legislative Archives

Appendix D - Management’s Response to the Report

Appendix E - Report Distribution List

Archivist of the United States
Deputy Archivist of the United States
Assistant Archivist, Office of Administration (NA)
Chief of Staff
Management Control Liaison, Policy and Planning (NPOL)
Office of General Counsel (NGC)